In this issue

Win32 remote command execution

Yesterday, Sanctum inc. released
a security advisory about a vulnerability in Apache for Win32 platforms.
They found that remote commands can be executed during the processing of
batch files.

Although they class this as a high risk, it should be noted that
the vulnerability only affects the default installation of Apache 2.0
alpha and beta releases because they ship with an example batch
file. Exploitation of this vulnerability on Apache 1.3 for Win32
requires that the administrator has set up '.bat' or '.cmd' batch
file scripts.

The problem occurs because the input is not properly validated. It
is possible to append commands as parameters to the batch file CGI
script and have the shell interpreter execute them.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2002-0061 to this issue.

This issue does not affect Unix versions of Apache. This issue is
fixed in Apache 1.3.24 and Apache 2.0.34.
As a work-around users of Apache on Win32 should disable any batch file
CGI scripts.

SGI warns of Apache vulnerabilities on IRIX

ZDNet News reports that SGI are
warning of Apache-IRIX
vulnerabilities. However none of these vulnerabilities are new or in fact
particularly serious, they are
simply the problems that were found in Apache 1.3.22 which is the
version of Apache currently
shipped with IRIX 6.5. Find out more
about the security issues in Apache httpd 1.3.22.

A new Apache 1.3 release, 1.3.24, was made ready for testing this
week. Along with the security fix for Win32 users
covered above, the 1.3.24 release has many fixes
to the new mod_proxy code introduced in 1.3.23, and
the usual set of minor bug and portability fixes. The release is due
to be made public on Saturday, after testing is complete.

Apache 2.0's behaviour when restarting and shutting down was under
discussion again this week, after problems were found in several
different places: daemon processes created by
mod_cgid could be left running after a restart, and
connections could be dropped in graceful restarts and shutdowns. A
"graceful shutdown" occurs on certain fatal error conditions which can
be handled without dropping existing client connections. Fixes were
checked in by Jeff Trawick.

In this section we highlight some of the articles on the web that are of
interest to Apache users.

"User Authentication With Apache And PHP"
shows you how to implement basic access control by using built-in Apache
authentication. After looking at various situations where it is preferable
to write your own code, it then demonstrates how to use PHP with its
built-in session management support to write your own custom code to
authenticate users, maintain session information, handle login/logout
operations, and validate users against information stored in a MySQL
database.

In
"Generating Web content with Cocoon"
Michael Classen first compares the new version of Cocoon with its
predecessor. He then explains that the pipeline is the main concept
in Cocoon as Cocoon generates content on the Web by piping XML
through a configurable set of tools, and proceeds to briefly illustrate
how this is easily done.

We sign off this section with a light personal account from Ken Coar
about
NordU2002 in Helsinki, Finland.
He has a good tip for wireless world travellers.